Case for Micro Segmenting Student Dorm Wifi Networks

January 10, 2019

Challenges with Providing Wi-Fi in Student Dorms:

Student dorms are one of the most challenging environments for deploying a Wi-Fi network. I want to make a case for why a “micro-segmented” Wi-Fi network deployment strategy makes perfect sense in this environment. Before we do that, let's understand some of the actual challenges IT admins encounter in this scenario. These are not in any particular order, but they are part of any conversation you have with folks managing these networks.

  1. Securely onboarding students based on their centrally administered credentials (e.g. Microsoft AD). This is helpful in many ways; troubleshooting is one example. As with wired networks, you want to be able to trace activity not just to a MAC address but also to an actual user, one that is part of the student network ecosystem.
  2. Ensuring End to End encrypted connection while accessing resources internally in the system.
  3. Ensuring the system is resilient enough to be able to prevent “bad actors” from bringing the entire network down. This could also be done accidentally.
  4. Ensuring excellent RF coverage inside the student rooms. Traditional hallway deployments have been a pain with this. The insides of bedrooms rarely get good coverage.
  5. Efficient rationing of bandwidth to ensure there is always enough available for everyone to use. P2P traffic is especially high in such networks and dynamic rationing policies help make sure no one device ends up hogging the bandwidth pipe.
  6. Content Filtering to ensure network resources are used to access age appropriate content.

The biggest challenge, and one that is rarely ever discussed, is that wireless devices inside every dorm unit need to be able to communicate effectively with each other. Below are a few solid use cases for this.

  1. AUTO DISCOVERY! Devices need to be able to auto discover only the PRINTER in their unit, and any mobile device that is part of that dorm unit needs to be able to print from ANYWHERE on CAMPUS. Most campus Wi-Fi networks are a giant L2 segment with everyone sharing the same L2 domain. This generates a hell of an auto discovery issue where the mobile device sees a huge list of printers every time it tries to auto discover. The same applies to a streaming device like a ROKU, CHROMECAST, APPLE TV etc.
  2. GAMING! No surprises here. XBOX & PlayStation devices are very common in student dorm units and these devices need to work effectively. The most common use case is “Matchmaking”, where gamers interact with each other and join an online network to play with each other. This feature requires certain well known XBOX/PlayStation ports to be opened up on the firewall to allow for immediate interoperation. How can this problem be solved when you have a single PUBLIC IP (in most cases; some may have backup lines or such, but you get the point) being shared for the entire campus? Every unit needs its own public IP in this case.
  3. SMART SENSORS! This one’s not very common in dormitories though it’s getting there. IoT hubs like Samsung’s very own SmartThings Hub, controlling a myriad of motion sensors or smart door locks, are slowly but surely becoming commonplace in the MDU vertical. Being able to control your own door lock via an app becomes yet another challenge when everyone is sharing the same L2 segment.


The more we list these challenges, the more it becomes clear that they are not much of an issue when the same devices are deployed in residential units. There, they all work seamlessly. That’s because every one of these residential units has its own private L2/L3 domain that is limited to that unit, and each gets its own PUBLIC IP from the carrier with the help of a residential gateway (rGW), for which most service providers charge a monthly “rental”. So why not get a carrier to come in and populate every student dorm unit with a “residential gateway” and call it a day? This approach has been tried and has failed miserably. IT guys have absolutely no control over such a disastrous setup, and they are not able to meet any of the ideal requirements we listed in the first part of the blog. What to do with these gateways when students move out and new students move in? What happens if the students are anywhere else on campus? What happens to the massive RF environment with SO many SSIDs floating around? It is just NOT an “Enterprise Grade” solution. It's band aid after band aid after band aid.

The solution is simple: we need an Enterprise Grade Wi-Fi network (Samsung Enterprise Wi-Fi) that can handle the high device density and provide good coverage, seamless roaming and centralized control, coupled with a backend SDN orchestration engine that can dynamically trigger policies based on anomalous network events (Samsung AXIS). This solution also enables us to micro segment using dynamic VLANs. So, every dorm unit will be in its own segmented private network with its own Public IP address. This way each unit gets its own Virtual residential gateway (vRGW).

Here’s how the solution works.

  1. The IT team gets a block of public IP addresses from the carrier along with the bandwidth (typically 1 per dorm room). The Samsung AXIS WAN port is configured with this IP block.
  2. The AXIS LAN port is configured with a number of VLANs (typically 1 per unit) that TRUNK to the wireless controller.
  3. Samsung AXIS also ties into the centralized Active Directory to validate student credentials when they log on to Wi-Fi.
  4. On the wireless controller, a single WLAN profile is configured for the student network with dynamic VLAN interfaces.
  5. The WLAN is configured with WPA2 Enterprise security, which ties into SAMSUNG AXIS via RADIUS to onboard student devices.
  6. Dorm rooms have in-room APs (typically 1 per room), all of which broadcast a single SSID.
  7. Students log on to Wi-Fi via the SSID and enter their credentials, which are validated against the AD.
  8. Once validated, the Samsung AXIS solution places the students in the appropriate VLAN, which is typically tied to their room. This now acts as a private network for the room. Students can now go ahead and access the Virtual Residential gateway portal, which allows them to add their devices like XBOX, Chromecast, SmartThings Hub and additional tablets. The portal is also used to create port forwards for XBOX or any other application that needs one.
  9. Once micro segmented this way, the IT admins have complete control over how much bandwidth to allocate per unit, per user or per application. This takes care of bandwidth rationing. Similarly, content filters can be applied universally.
  10. AUTO DISCOVERY, STREAMING etc. all work flawlessly throughout the campus. A student can access/print/stream while being anywhere on campus, as they are always part of the same VLAN throughout.
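
To make steps 1, 2 and 8 concrete, here is an added sketch (not Samsung AXIS code and not from the original post) of the per-room VLAN and public IP plan, plus the RADIUS reply that puts an authenticated student on their room's VLAN. It assumes the standard RFC 3580 tunnel attributes for dynamic VLAN assignment; the room names, VLAN ids, usernames, function names and the 203.0.113.0/28 documentation block are all constructed for illustration.

```python
import ipaddress

# Constructed sample data (hypothetical rooms, users and a documentation IP range).
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/28")
ROOM_VLAN = {"A101": 101, "A102": 102, "B201": 201}
STUDENT_ROOM = {"alice": "A101", "bob": "A101", "carol": "A102", "dave": "B201"}

def build_plan(room_vlan, block):
    """Map each room to (vlan, public_ip); refuse plans that would merge two units."""
    vlans = list(room_vlan.values())
    if len(set(vlans)) != len(vlans):
        raise ValueError("two rooms share a VLAN; their L2 domains would merge")
    # VLAN 1 is left out because it is usually the switch default VLAN.
    if any(not 2 <= v <= 4094 for v in vlans):
        raise ValueError("VLAN id outside the usable 802.1Q range")
    hosts = list(block.hosts())
    if len(hosts) < len(room_vlan):
        raise ValueError("public IP block too small for one address per unit")
    return {room: (vlan, str(ip))
            for (room, vlan), ip in zip(sorted(room_vlan.items()), hosts)}

def access_accept(user, student_room, plan):
    """RFC 3580 attributes for an already-authenticated user, or None to reject."""
    room = student_room.get(user)
    if room is None or room not in plan:
        return None  # fail closed: no room mapping means no VLAN, not a shared default
    vlan, _ = plan[room]
    return {"Tunnel-Type": 13,            # 13 = VLAN
            "Tunnel-Medium-Type": 6,      # 6 = IEEE 802
            "Tunnel-Private-Group-ID": str(vlan)}

def misplaced_sessions(sessions, student_room, plan):
    """Audit (user, vlan) pairs seen on the controller against the plan."""
    bad = []
    for user, vlan in sessions:
        expected = plan.get(student_room.get(user), (None,))[0]
        if vlan != expected:
            bad.append((user, vlan, expected))
    return bad

if __name__ == "__main__":
    plan = build_plan(ROOM_VLAN, PUBLIC_BLOCK)
    print(plan)
    print(access_accept("alice", STUDENT_ROOM, plan))
    print(misplaced_sessions([("alice", 101), ("carol", 101)], STUDENT_ROOM, plan))
```

Roommates receive the same VLAN id wherever they associate on campus, while the audit function flags any session that ended up in another unit's segment.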

This solution is cleaner and more efficient, and it solves ALL the challenges faced by IT administrators who manage large-scale campus deployments.
